Tuesday, August 30, 2005

Interview with Def Con CTF Winning Team Member Vika Felmetsger

Earlier this month I congratulated the Def Con Capture The Flag winners from Giovanni Vigna's team. One of the contestants, Vika Felmetsger, was kind enough to answer questions about her experience and the role she played on team Shellphish. I thought I would publish Vika's thoughts in the hopes that she could provide an example of how one becomes a serious security practitioner.


Richard (R): What is your experience with security, and what are your interests?

Vika (V): I am starting my second year as a computer science Ph. D. student at UCSB, where I work as a research assistant in the Reliable Software Group (RSG).

Everybody in the group works on various computer security areas and my current focus is web application security. Even though now security is a part of my everyday life, I am still pretty new to this area.

As an undergraduate student at UCSB I learned some security basics, however, my real introduction to practical security, and hacking in particular, was last fall when I took "Network Security and Intrusion Detection," which is a class taught by my graduate advisor Prof. Giovanni Vigna.

In this class I learned various techniques that can be used to break the security of computer systems, how to detect attacks, and how to protect a system against possible attacks.

Most importantly, as a part of the classwork, every student was able to apply the learned techniques to write actual exploits to attack various vulnerabilities in real programs within a testbed network.

Also, during the class, I participated in two Capture The Flag (CTF) exercises (which are organized every year by Prof. Vigna) where, together with other students in the class, I could practice attacking other systems as well as defending my team's system. As a result, after that class, I had the background necessary to further develop my hacking skills on my own as well as be able to work on various security problems.

Later I was very lucky to be involved in setting up the UCSB International CTF which was organized by Prof. Vigna on June 10th, 2005. This provided me with a valuable experience being on the organizers' side and helped me to improve my system administration, networking, and network traffic analysis skills.

R: How did you join team Shellphish?

V: Hmmm, I did not really join the team ... Everybody in the RSG is a member of the Shellphish team :-).

R: Did you have a specific role on the team? If yes, can you describe it?

V: During the DefCon CTF I was a "human IDS." I was analyzing (using scripts and manually) network traffic in real time looking for attacks on our system. This helped the team to discover many successful attacks on our system, find out which particular vulnerabilities were exploited, patch the system, and even reuse some of the attacks against the other teams.

[Note: Against sophisticated intruders, only human analysts can prevail.]

R: What was it like to compete at Def Con? Did it meet your expectations?

V: I was dreaming about competing at DefCon the whole year and it certainly met my best expectations! :-) I don't have enough words to describe the feeling that I had sitting 3 days straight in front of the computer when I was absolutely consumed by the game. That is something everybody should experience for him/herself ;-).

I was very lucky to be a part of such an amazing team, to work together with the people whom I highly respect and from whom I have so many things to learn. What can be better?

When we came to DefCon this year, we did not care that much about winning, we simply wanted to enjoy ourselves doing the things that everybody in the team is fascinated with. And, it certainly worked out perfectly!

R: Do you plan to compete next year?

V: Of course.

R: What advice could you give to those who might like to compete, or have skills like yours?

V: Well, I am probably not the best person to give advices right now because I am still have a long way to go myself, but if you ask ;-) ...

Knowing theory is not enough, you need to practice everything that you read about hacking or security (I don't mean attacking real systems, of course ;-).

There are many ways to do it, for example, install known vulnerable software on your own machine and write an exploit for it.

Also, even if you don't think that you have enough skills to actually compete at Defcon, sign up for the quals anyway and try it for yourself.

From my own experience, I can say that I learned many practical things from this year quals, not to mention that it was incredibly fun :-). Also, what I am planning on working now is to improve my scripting skills which are very important when competing in real time.


Thanks to Vika for responding to my questions.

If you like these sorts of interviews, let me know. I plan to incorporate these sorts of stories into the TaoSecurity Podcast, when I get time to launch it.

9 comments:

Silver_h said...

Hi !!
what a nice interview !!! I didn't suspect the existence of such CTF contest and i think it must be a really funny and amazing thing !!!

Anonymous said...

Yes, more interviews would be nice. Hard techie content is good, but stuff like this makes a nice break from it too. :)

Anonymous said...

New pick-up line: Can I interview you?

Good work.

Anonymous said...

Yeah, interviews are nice and fun. I like getting insight into things like this...and it lets us hear some of the other names out there in the world of security.
- LonerVamp

Anonymous said...

cute russian security analyst is what the world need :)

Anonymous said...

there was a technical article here? sorry couldnt get past the picture..

j_kenpo said...

OK, calm down... I don't want to turn the hose on your guys. It’s a wonder why more women don’t get into security with attention like this ;)

Seriously, good interview. The main thing I liked about this interview is that she is a beginner. For some of the more “green” security practitioners out there, hearing from someone who is at this level and how they are gaining experience is great. Too often, we hear from “experts”, which some of the more advanced concepts can intimidate the younger folk. Interviews like this, especially from someone like her who is demonstrating how she is getting valuable experience and knowledge and has participated in something that has gainer attention in the security field, is priceless for some of those who are looking to get a foot hold in this field or broaden the horizons of some of the more experienced folk who are a little too set in their ways.

She points out some great failings with traditional college security tracks. If more schools did live "capture the flag" exercises and use learned skills in not only using canned exploits, but writing their own, the quality of analyst turned out would be much higher. The only real problem with this approach is that colleges do not have a real Code of Ethics. So these skills and lack of a Code of Ethics can easily turn a white hat into a black hat (not saying that a COE physically prevents this, but it is a step in the right direction…). We tried to set something similar up at our old NSM operation that I worked for. To a certain extent I still use these kinds of exercises on my own using Vmware with different OS (from W95 up, from Redhat Linux 4 up, etc) going through the whole scanning, enumeration, exploit process and monitor it to get a good feel for what recon and attacks look like.

Great interview, you should do more of them.

atlas said...

"Also, even if you don't think that you have enough skills to actually compete at Defcon, sign up for the quals anyway and try it for yourself. "

Excellent advice. I did just that. Turns out the quals themselves taught me more about security and exploitation than anything previous... tied theory to reality and pushed me to do something I always considered something for immortals. The kenshoto folken spent an excruciating amount of time creating apps/services to exploit, some easy and some very challenging. So sit right down with your favorite hacking book (Hacking: The Art of Exploitation is always a good one) and enjoy the mind-bending adventure that will ensue... Just do it.

@

ps. Vika was indeed a distraction to the rest of the teams. I wonder if that's part of their strategy! :)

A friend allowed me to post to his blog a little about CTF:
http://digitalLegacy.blogspot.com/

Silver_h said...

What J_Kenpo said about school way of teaching is really true and i realy do think it might be great if Universities plan much more things like CTF. Actually i'm a student in safety and security (much more safety than security) and lessons i'm having there are more theoretical than practicing (learning protocols, cryptography, formal programming etc...). It's obvious Theory is needed but practicing too !!!